Authentication
API keys, organizations, and permissions.
API Keys
All gateway requests authenticate via API key in the Authorization header:
Authorization: Bearer sk-bc-YOUR_API_KEY
Key Format
BroadComms API keys use the prefix sk-bc- followed by a base64url-encoded random string. The full key is shown only once, at creation. We store only a SHA-256 hash of the key; if you lose the key, revoke it and create a new one.
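The following is an added example, not BroadComms' own code, showing how a gateway can mint a key in the sk-bc- format above, persist only its SHA-256 hash, and verify the Bearer header on each request with a constant-time comparison. The 32-byte random length, the hex-digest store and the record shape are assumptions.

```python
import hashlib
import hmac
import re
import secrets
from typing import Optional

KEY_PREFIX = "sk-bc-"
RANDOM_BYTES = 32  # assumption: the page only says "base64url-encoded random string"
# 32 random bytes encode to 43 unpadded base64url characters.
KEY_RE = re.compile(r"^sk-bc-[A-Za-z0-9_-]{43}$")


def generate_key() -> str:
    """Mint a new key in the documented format; this is the only time the plaintext exists."""
    return KEY_PREFIX + secrets.token_urlsafe(RANDOM_BYTES)


def key_hash(key: str) -> str:
    """SHA-256 of the full key string; the server stores this, never the key itself."""
    return hashlib.sha256(key.encode("ascii")).hexdigest()


def parse_bearer(header: Optional[str]) -> Optional[str]:
    """Extract the key from 'Authorization: Bearer sk-bc-...'; None if the header is malformed."""
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "bearer" or not KEY_RE.fullmatch(token):
        return None
    return token


def authenticate(header: Optional[str], key_store: dict) -> Optional[dict]:
    """Resolve a request's Authorization header to a key record, or None.

    key_store maps hex SHA-256 digest -> record (constructed shape:
    {"org": ..., "revoked": bool}). Revoked keys fail closed.
    """
    token = parse_bearer(header)
    if token is None:
        return None
    digest = key_hash(token)
    for stored_digest, record in key_store.items():
        # Constant-time compare so lookup timing does not leak digest prefixes.
        if hmac.compare_digest(stored_digest, digest):
            return None if record.get("revoked") else record
    return None
```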
Key Management
| Action | Where |
|---|---|
| Create key | Dashboard > API Keys > Create |
| List keys | Dashboard > API Keys |
| Revoke key | Dashboard > API Keys > Revoke button |
Organizations
Every API key belongs to an organization. When you create your first key, an organization is automatically created for you. Organizations control:
- Billing — subscriptions and usage are per-organization
- API keys — all keys in an org share the org's plan limits
- Team members — invite others to your organization
- Usage data — aggregated across all keys in the org
Roles & Permissions
| Role | Permissions |
|---|---|
| Owner | Full access: billing, delete org, manage members and keys |
| Admin | Manage members and keys, view usage |
| Member | Use keys, view usage |
| Viewer | Read-only access to usage data |
Rate Limits
Rate limits are enforced per API key in requests per minute (RPM):
| Plan | RPM |
|---|---|
| Free | 20 |
| Developer | 300 |
| Team | 1,500 |
| Enterprise | Custom |
Requests that exceed the limit receive 429 Too Many Requests with a Retry-After header indicating how long to wait before retrying.
Security Best Practices
- Never commit API keys to source control
- Use environment variables to store keys
- Create separate keys for development and production
- Revoke keys immediately if compromised
- Set expiration dates on keys when possible